Apache2-Controller
lib/Apache2/Controller/Auth/OpenID.pm
including when the local session times out. If they come back
after a while and click a submit button, but either their
local session has timed out or their OpenID server session
has timed out through whatever mechanism that uses, then after
they log into OpenID and are redirected back to the protected
area, the GET params and POST body are restored, and it will
do what the user expected when they clicked the submit button.
This behavior
is a feature, so it is enabled by default, but it may not
be expected, so you can turn it off by using the directive
flag C<< A2C_Auth_OpenID_NoPreserveParams >>.

=head1 DIRECTIVES

L<Apache2::Controller::Directives/Apache2::Controller::Auth::OpenID>

=head1 CACHING

If you want to provide a cache for L<Net::OpenID::Consumer>
to pass onto L<URI::Fetch>, subclass this module and implement
a method C<< cache() >> that returns the appropriate cache object.

=head1 CAVEATS

I have heard there are trickier things one can do to ensure the
security of a session based cookie. This module just implements
a simple association of a user with a session key by storing a flag
and a last-accessed time value in the session hash, nothing fancier.
If you have recommendations, please let me know.

This calls C<< $r->connection->get_remote_host >> and saves it
in the C<< {a2c}{openid} >> section of the session hash. So if
you don't want it to do DNS lookups, set directive C<< HostNameLookups off >>.

=cut
use strict;
use warnings FATAL => 'all';
use English '-no_match_vars';
use Carp qw( longmess );
use base qw(
    Apache2::Controller::NonResponseRequest
);
use Log::Log4perl qw(:easy);
use YAML::Syck;
use Digest::SHA qw( sha224_base64 );
use Net::OpenID::Consumer;
use URI;
use List::MoreUtils qw(any);
use Apache2::Const -compile => qw( OK SERVER_ERROR REDIRECT );
use Apache2::Controller::X;

=head2 new

Overloaded constructor will always throw an L<Apache2::Controller::X>
because this module does not work.

=cut

sub new {
    a2cx __PACKAGE__." is disabled, does not work, do not use.";
}
# hopefully we get the same default consumer secret as in top level
use Apache2::Controller::Const qw( $DEFAULT_CONSUMER_SECRET );

=head1 OVERLOADABLE METHODS

The only method which should be overloaded in your subclass
is C<< get_uname( $openid_url ) >> which returns the username
string that corresponds to the openid url supplied by the cookie.
When overloading, you get the RequestRec in C<< $self->{r} >>.

=head2 get_uname

 my $uname = $self->get_uname($openid_url);

Takes a string which is the supplied openid_url.
You can overload C<< get_uname >> to supply it
by some other means, such as by LDAP.
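One way to overload get_uname with an LDAP lookup, as an added example that is not part of this module's own code: it escapes the cookie-supplied URL before it enters the search filter and refuses an ambiguous match. The package name, server URI, base DN and the choice of labeledURI and uid are assumptions, and the directory is assumed to allow anonymous reads.

```perl
package MyApp::Auth::OpenID::LDAP;    # hypothetical subclass name

use strict;
use warnings FATAL => 'all';
use base qw( Apache2::Controller::Auth::OpenID );
use Net::LDAP;
use Net::LDAP::Util qw( escape_filter_value );
use Apache2::Controller::X;    # provides a2cx, as used by the parent module

# Constructed placeholders and assumptions, not values from the module.
my $LDAP_URI  = 'ldaps://ldap.example.com';
my $BASE_DN   = 'ou=people,dc=example,dc=com';
my $URL_ATTR  = 'labeledURI';    # assumed attribute holding the OpenID URL
my $USER_ATTR = 'uid';           # assumed attribute holding the username

sub get_uname {
    my ($self, $openid_url) = @_;

    a2cx "get_uname() requires an openid_url string param"
        if !$openid_url || ref $openid_url;

    my $ldap = Net::LDAP->new($LDAP_URI, timeout => 5)
        or a2cx "Cannot connect to $LDAP_URI: $@";

    # Anonymous bind (assumption: the directory permits anonymous reads).
    my $bind = $ldap->bind;
    a2cx "LDAP bind failed: ".$bind->error if $bind->code;

    # The URL arrives from the client, so escape filter metacharacters
    # such as * ( ) \ before building the search filter.
    my $filter = sprintf '(%s=%s)', $URL_ATTR, escape_filter_value($openid_url);

    my $res = $ldap->search(
        base   => $BASE_DN,
        scope  => 'sub',
        filter => $filter,
        attrs  => [ $USER_ATTR ],
    );
    $ldap->unbind;
    a2cx "LDAP search failed: ".$res->error if $res->code;

    # Fail closed when more than one entry claims the same URL.
    a2cx "Ambiguous OpenID URL mapping in LDAP" if $res->count > 1;

    # No match returns nothing, like the default SQL lookup with no row.
    return if !$res->count;
    return scalar $res->entry(0)->get_value($USER_ATTR);
}

1;
```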
=cut

sub get_uname {
    my ($self, $openid_url) = @_;

    # Require a plain, non-empty string.
    a2cx "get_uname() requires an openid_url string param"
        if !$openid_url || ref $openid_url;

    my $conf = $self->{conf};

    my $pnotes = $self->pnotes;
    DEBUG sub { "pnotes: ".Dump($pnotes) };

    my $dbh = $self->pnotes->{a2c}{ $conf->{dbi_name} }
        || a2cx "Database handle '$conf->{dbi_name}' is not connected in pnotes"
            ." for default handler ".__PACKAGE__;

    # The openid url is passed as a bind value; the column and table
    # names are interpolated from $self->{conf}.
    my $uname;
    eval {
        ($uname) = $dbh->selectrow_array(
            qq| SELECT $conf->{user_field}
                FROM $conf->{table}
                WHERE $conf->{url_field} = ?
            |, undef, $openid_url
        );
    };
    a2cx "Error in default get_uname() from dbh: $EVAL_ERROR"
        if $EVAL_ERROR;

    return $uname;
}
=head1 INTERNAL METHODS